
[BUG] security vulnerability #1273

@ThreepE0

Description

Problem Description

Remote HTML injection into extension UI (potential RCE in extension context)

  • The extension fetches an update “notice” from https://ext.scriptcat.org/ and renders it as raw HTML via React dangerouslySetInnerHTML.
  • Evidence:
    • Fetch: src/pages/popup/App.tsx:369
    • Render: src/pages/popup/App.tsx:485
    • Same update-check fetch in SW: src/app/service/service_worker/index.ts:113
  • Impact: if ext.scriptcat.org is compromised, misconfigured, or a malicious insider controls responses, they can inject scriptable HTML into the extension UI. In an extension with broad permissions (tabs/cookies/<all_urls>), that’s effectively a “developer-controlled remote code execution / data exfil” channel.
  • Recommended mitigation: do not render server-provided HTML. Render as plain text, or sanitize with a strict allowlist (no script, no event handlers, no javascript: URLs, no inline styles) before display.

This potential RCE vulnerability is so severe that I will not use Scriptcat because of it.

Reproduction Steps

n/a

ScriptCat Version

0

Operating System and Browser Information

n/a

Additional Information (Optional)

No response
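The two mitigations the report recommends, as an added example that is not ScriptCat's code: `escapeHtml` is the "render as plain text" path (in React, passing the notice string as a child, `<div>{notice}</div>`, achieves the same thing without any helper), and `sanitizeNotice` is a strict allowlist that removes every tag outside a small set, discards every attribute except a vetted `http(s)` `href` on `<a>`, and drops `script`/`style` bodies entirely, so the only thing that should ever reach `dangerouslySetInnerHTML` is its output. The function names, the allowlist and the sample notices are this example's own assumptions; a production build would more likely use a maintained sanitizer such as DOMPurify with an equivalent policy, but the hand-written version shows concretely what the policy has to do.

```typescript
// Added example for this issue (not ScriptCat's code). Names below are assumptions.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "a"]);
const VOID_TAGS = new Set(["br"]);

// Mitigation 1: treat the server notice as text. Every character that could
// start markup is escaped, so nothing the server sends becomes an element.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http(s) links survive; javascript:, data:, vbscript: etc. are dropped.
// Using the URL parser (rather than a regex) handles case and odd whitespace.
function safeHref(raw: string): string | null {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
  } catch {
    return null;
  }
}

// Mitigation 2: strict allowlist. Unknown tags are removed (their text is
// kept, escaped), all attributes are discarded except a vetted href on <a>,
// script/style element bodies are dropped, and every open tag is closed.
function sanitizeNotice(html: string): string {
  let out = "";
  const open: string[] = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeHtml(html.slice(i)); break; }
    out += escapeHtml(html.slice(i, lt));
    const gt = html.indexOf(">", lt);
    if (gt === -1) { out += escapeHtml(html.slice(lt)); break; }
    const raw = html.slice(lt + 1, gt);
    i = gt + 1;
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*)$/.exec(raw);
    if (!m) continue;                            // comments, doctype, junk: dropped
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (name === "script" || name === "style") { // drop the whole element body
      if (!closing) {
        const end = html.toLowerCase().indexOf("</" + name, i);
        const close = end === -1 ? -1 : html.indexOf(">", end);
        i = close === -1 ? html.length : close + 1;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;       // img, iframe, svg, ...: tag removed
    if (closing) {
      const at = open.lastIndexOf(name);
      if (at === -1) continue;                   // stray close tag
      while (open.length > at) out += "</" + open.pop() + ">";
      continue;
    }
    if (VOID_TAGS.has(name)) { out += "<br>"; continue; }
    let attrs = "";                              // every attribute dropped by default
    if (name === "a") {
      const h = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[3]);
      const href = h ? safeHref(h[1] || h[2] || h[3] || "") : null;
      if (href) attrs = ` href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank"`;
    }
    out += "<" + name + attrs + ">";
    open.push(name);
  }
  while (open.length) out += "</" + open.pop() + ">";
  return out;
}

// Constructed sample notices, as a hostile update server might send them.
const SAMPLES = [
  'Update <i>available</i> & more',
  '<b onclick="steal()">v1.2</b>',
  '<script>alert(1)</script>ok',
  '<img src=x onerror=alert(1)>v1.2',
  '<a href="javascript:alert(1)">changelog</a>',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "=>", JSON.stringify(sanitizeNotice(s)));
}
```

Whichever path is chosen, the fix is applied at the render site: the value given to `dangerouslySetInnerHTML` is `sanitizeNotice(notice)`, never the fetched body, or the fetched body is rendered as a text child and `dangerouslySetInnerHTML` is not used at all.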
